Connecting to Sessions

This topic describes how to connect to bastion sessions.

For information specifically about how to create and manage bastion sessions, see Managing Sessions. For information about creating and managing bastions, see Managing Bastions.

Bastions are Oracle-managed services. You use a bastion to create Secure Shell (SSH) sessions that provide access to other private resources. But you can't connect directly to a bastion with SSH and administer or monitor it like a traditional host.

When connecting to a bastion session, we recommend that you follow the SSH best practices described in Securing Bastion.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read compute instances
  • Read compute instance agent (Oracle Cloud Agent) plugins
  • Inspect work requests
Example policy:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
See Bastion IAM Policies for detailed policy information and more examples.

If you're new to policies, see Getting Started with Policies and Common Policies.

Allowing Network Access From the Bastion

The VCN (virtual cloud network)  that the target resource was created in must allow incoming network traffic from the bastion on the target port.

For example, if you want to use a session to connect to port 8001 on a compute instance  from a bastion with the IP address 192.168.0.99, then the subnet used to access the instance needs to allow ingress traffic from 192.168.0.99 on port 8001.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Copy the Private endpoint IP address.
  5. Click the Target subnet.

    If the target resource is on a different subnet than the one used by the bastion to access this VCN, edit the target resource's subnet.

  6. From the Subnet Details page, click an existing security list that is assigned to this subnet.

    Alternatively, you can create a security list and assign it to this subnet.

  7. Click Add Ingress Rules.
  8. For Source CIDR, enter a CIDR block that includes the Private endpoint IP address of the bastion.

    For example, the CIDR block <bastion_private_IP>/32 includes only the bastion's IP address.

  9. For IP Protocol, select TCP.
  10. For Destination Port Range, enter the port number on the target resource.

    For Managed SSH sessions, specify port 22.

  11. Click Add Ingress Rules.

To learn more, see Security Lists.

Connecting to a Managed SSH Session

To connect to a compute instance using a Managed SSH session

Before you begin, you must create a Managed SSH session to the target instance .

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to a Managed SSH session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. To copy the command, next to SSH command, click Copy, and then click Close.
  6. Using a text editor, replace <privateKey> with the path to the private key of the SSH key pair that you provided when you created the session.
  7. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it.

Connecting to a Port Forwarding Session

To connect to the SSH server on a compute instance

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the SSH server on the instance , which by default is port 22.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

You can use a port forwarding session to connect to instances that don't meet all requirements for a Managed SSH session.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. To copy the command, next to SSH command, click Copy, and then click Close.
  6. Using a text editor, replace <privateKey> with the path to the private key and <localPort> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default SSH server port is 22.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network
  9. Use an SSH client to connect to localhost (or 127.0.0.1) and the local port you specified, <localPort>.

    Provide the name of a valid user on the instance's operating system.

    ssh -i <privateKey> -p <localPort> <user>@localhost

    The default username on most platform images is opc. Example:

    ssh -i <privateKey> -p 8001 opc@localhost

    If your private key was created with a passphrase, you are prompted to enter it.

To connect to Windows using the Remote Desktop Protocol (RDP)

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the RDP port on the Windows instance , which by default is port 3389.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To create the SSH tunnel using PuTTY instead of OpenSSH (the ssh command), see To connect to Windows using RDP and PuTTY.

To connect to a Windows instance using an RDP client and a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. To copy the command, next to SSH command, click Copy, and then click Close.
  6. Using a text editor, replace <privateKey> with the path to the private key and <localPort> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default RDP server port is 3389.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network
  9. Open an RDP client and connect to localhost (or 127.0.0.1) and the local port you specified, <localPort>.

    Provide the name of an existing user on the Windows instance.

To connect to Windows using RDP and PuTTY

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the RDP port on the Windows instance , which by default is port 3389.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

PuTTY is an open source SSH client for Windows. You must specify a private key file that is in PuTTY's proprietary format (.ppk). You can use the PuTTYgen tool to import and convert a key from OpenSSH format.

To connect to a Windows instance using PuTTY, an RDP client, and a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. From the SSH command, copy the following information.
    • Bastion host name
    • Instance IP address and port number
    ssh -i <privateKey> -N -L <localPort>:<instanceIP>:<instancePort> -p 22 <bastionHost>
  6. Open PuTTY.
  7. On the Session page, update these settings.
    • Host Name - The bastion's host name
    • Port - 22
  8. From the Category panel, click SSH.
  9. Select the option Don't start a shell or command at all.
  10. From the Category panel, expand SSH, and then click Tunnels.
  11. Enter the following information.
    • Source port - You can use any available local port. The default RDP server port is 3389.
    • Destination - Enter the instance IP address and port number, separated by a colon, <instanceIP>:<instancePort>. The default RDP server port is 3389.
  12. Click Add.
  13. From the Category panel, expand SSH, and then click Auth.
  14. For Private key file for authentication, click Browse and select the private key file that you used to create the bastion.

    The .ppk file extension indicates that the private key is in PuTTY's proprietary format. Specify a key of this format when using PuTTY. You can use the PuTTYgen tool to import and convert a key from OpenSSH format.

  15. Click Open.

    A terminal opens with the message "Authenticating with public key." The process does not exit. Do not close the terminal.

    If your private key was created with a passphrase, you are prompted to enter the passphrase.

  16. Open an RDP client and connect to localhost (or 127.0.0.1) and the local port you specified, Source port.

    Provide the name of an existing user on the Windows instance.

To connect to an Autonomous Transaction Processing Database

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 1521.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to an Oracle Database using a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. To copy the command, next to SSH command, click Copy, and then click Close.
  6. Using a text editor, replace <privateKey> with the path to the private key and <localPort> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default Oracle Database port is 1521.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network
  9. Open a database client such as Oracle SQL*Plus or Oracle SQL Developer, and then connect to localhost (or 127.0.0.1) and the local port you specified, <localPort>.

    Provide the name and password of an existing user on the database.

To connect to a MySQL DB System

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 3306.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to a MySQL DB System using a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH command.
  5. To copy the command, next to SSH command, click Copy, and then click Close.
  6. Using a text editor, replace <privateKey> with the path to the private key and <localPort> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default MySQL Database port is 3306.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network
  9. Open a database client such as MySQL Workbench and connect to localhost (or 127.0.0.1) and the local port you specified, <localPort>.

    Provide the name and password of an existing user on the database.